Closed hjarrell closed 5 years ago
Also roll back the token field on the Accounts.User model with a migration. We should instead be using Phoenix.token in combination with Absinthe.Plug. Also see: https://hexdocs.pm/absinthe/context-and-authentication.html#context-and-plugs
Closed by #55
Guardian uses JWTs for authentication and that is not ideal for a website. JWTs are more for REST APIs and for services that need to pass authentication around. We should instead investigate a normal Session based login that uses HTTP Cookies and sets it to HTML only so that malicious JS can't access the user's token.
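An added example (not code from this project or its contributors) of the direction proposed in the two comments above: an Absinthe context plug that takes the current user from the cookie-backed Plug session first (the session cookie Phoenix issues is `http_only` by default) and falls back to a signed `Phoenix.Token` in the `Authorization` header for non-browser clients. `MyAppWeb`, `MyApp.Accounts.get_user/1` and the salt are assumptions.

```elixir
defmodule MyAppWeb.Context do
  @moduledoc """
  Builds the Absinthe context for each request. Hypothetical module:
  MyAppWeb.Endpoint, MyApp.Accounts and the salt are assumptions.
  Must run after Plug.Session / fetch_session in the router pipeline.
  """
  @behaviour Plug
  import Plug.Conn

  # Salt for Phoenix.Token; load it from config rather than source in a real app.
  @salt "user auth"
  # Phoenix.Token.verify/4 rejects tokens older than this (one day).
  @max_age 60 * 60 * 24

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    Absinthe.Plug.put_options(conn, context: build_context(conn))
  end

  # Issues an API token for a user; the session path never needs this.
  def sign_token(user_id), do: Phoenix.Token.sign(MyAppWeb.Endpoint, @salt, user_id)

  defp build_context(conn) do
    with id when not is_nil(id) <- current_user_id(conn),
         user when not is_nil(user) <- MyApp.Accounts.get_user(id) do
      %{current_user: user}
    else
      _ -> %{}
    end
  end

  # Session cookie wins; the header is only consulted when no session exists.
  defp current_user_id(conn) do
    case get_session(conn, :user_id) do
      nil -> user_id_from_header(conn)
      id -> id
    end
  end

  # Verifies signature and age of a "Bearer <token>" header; any failure yields nil.
  defp user_id_from_header(conn) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, id} <- Phoenix.Token.verify(MyAppWeb.Endpoint, @salt, token, max_age: @max_age) do
      id
    else
      _ -> nil
    end
  end
end
```

Resolvers then read `context.current_user` instead of a JWT claim, and the browser login flow only has to `put_session(conn, :user_id, user.id)` after verifying credentials.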